Starting from 26 August 2024, the highly anticipated Cyber Security Act 2024 (“Act”), along with four other key regulations, officially comes into force, marking the beginning of a new era in Malaysia’s cybersecurity legal landscape. This significant legislative development sets the stage for a strengthened regulatory framework aimed at protecting critical national infrastructure and enhancing the resilience of Malaysia’s cyberspace.
This article provides a comprehensive overview for general counsels, outlining the key elements of the new legal regime, with a particular focus on the designation of National Critical Information Infrastructure (“NCII”) sectors and the roles and responsibilities of NCII Leads and NCII Entities under the Act, alongside the licensing requirements for cyber security service providers.
Key Regulations in Force Alongside the Cyber Security Act 2024
First and foremost, it is important to recognize the four key regulations that were enacted simultaneously with the Act on 6 August 2024:
- 1. Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024: Defines the mandatory timelines for conducting cyber security risk assessments and audits, ensuring that organizations remain vigilant and proactive in identifying and mitigating cyber risks.
- 2. Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024: Establishes the requirements for obtaining a license to operate as a cyber security service provider in Malaysia, aiming to standardize the quality of cyber security services provided.
- 3. Cyber Security (Compounding of Offences) Regulations 2024: Outlines the process and conditions under which certain cyber security related offenses may be compounded, providing a mechanism for resolving infractions without resorting to lengthy legal proceedings.
- 4. Cyber Security (Notification of Cyber Security Incident) Regulations 2024: Stipulates the mandatory reporting requirements for cyber security incidents, ensuring that authorities are promptly informed of any threats or breaches, enabling a coordinated response to mitigate damage.
What is the Cyber Security Act 2024 About?
When we provide legal training to our clients on the Act, one of the most frequently asked questions is, “What is the Cyber Security Act 2024 about?” At its core, the Act and its accompanying regulations are designed to govern four key aspects of Malaysia’s cybersecurity framework:
- 1. Establishment and Governance of 11 NCII Sectors: The Act identifies 11 sectors designated as NCII sectors, which are critical to the nation’s security and economic stability.
- 2. Obligations of NCII Leads: The Act outlines the specific duties and responsibilities for NCII Leads—those entities designated to oversee cybersecurity measures within the NCII sectors.
- 3. Obligations of NCII Entities: It also specifies the obligations for individual NCII Entities, which are organizations that own or operate NCII.
- 4. Licensing Requirements for Cyber Security Service Providers: Lastly, the Act introduces a licensing regime for cybersecurity service providers to ensure a high standard of cyber security practices and compliance.
The sections that follow will provide a deeper analysis of each of these four aspects.
What is NCII and What are the 11 NCII Sectors?
The concept of NCII is central to the Act, and NCII is defined as “a computer or computer system which, if disrupted or destroyed, would have a detrimental impact on the delivery of any service essential to the security, defense, foreign relations, economy, public health, public safety, or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out their functions effectively.”
In simpler terms, NCII refers to the backbone of the nation’s essential services—those computer systems and networks that, if disrupted, could severely impact the country’s safety, economy, and government operations. Protecting these critical infrastructures from cyber threats is paramount to ensuring Malaysia’s national security and public welfare.
The 11 NCII sectors designated under the Act are as follows:
- 1. Government
- 2. Banking and Finance
- 3. Transportation
- 4. Defense and National Security
- 5. Information, Communication, and Digital
- 6. Healthcare Services
- 7. Water, Sewerage, and Waste Management
- 8. Energy
- 9. Agriculture and Plantation
- 10. Trade, Industry, and Economy
- 11. Science, Technology, and Innovation
These sectors represent the foundational pillars upon which the nation’s security and stability depend. By designating these sectors as NCII, the Act seeks to ensure that adequate measures are in place to safeguard critical infrastructure against cyber threats.
Appointment of NCII Leads
Having set out the 11 NCII sectors, the Act empowers the Minister to appoint any government entity or person as the NCII Lead for each of the designated sectors.
The Act allows the Minister to appoint more than one NCII Lead for each sector, providing flexibility to address the diverse needs and complexities inherent within each sector. The names of the appointed NCII Leads will be published on the official website of the National Cyber Security Agency, ensuring transparency and public awareness.
Key Responsibilities of NCII Leads
The Act outlines five key responsibilities for NCII Leads, focusing on the effective management and security of NCII within their designated sectors:
- 1. Designate NCII Entities: The NCII Lead is responsible for designating companies that own or operate NCII within their sector as NCII Entities. This designation ensures that entities critical to the sector’s functioning are identified and subject to the regulatory requirements under the Act.
- 2. Prepare Code of Practice: Each NCII Lead is responsible for preparing a Code of Practice, which must be endorsed by the Chief Executive. This Code of Practice will outline the necessary measures, standards, and processes required to secure the NCII within their sector.
- 3. Prepare and Maintain Best Practice Guidelines: In addition to the Code of Practice, NCII Leads are tasked with preparing and maintaining best practice guidelines related to cybersecurity management.
- 4. Monitor and Ensure Compliance: The NCII Lead is also responsible for monitoring and ensuring that the actions required of and duties imposed on the NCII Entities are carried out. This role includes oversight of compliance with the Code of Practice and any other relevant regulations, ensuring that NCII Entities meet their obligations under the Act.
- 5. Report Cybersecurity Threats and Incidents: Finally, the NCII Lead must prepare and submit a report to the Chief Executive on any cybersecurity threats or incidents that have affected the NCII within their sector. This responsibility is crucial for maintaining an up-to-date understanding of the threat landscape and ensuring that the government remains informed and can respond effectively to potential risks.
Legal Obligations for NCII Entities
The legal obligations imposed by the Act on NCII Entities are critical for ensuring compliance and avoiding severe penalties. This section is particularly relevant to companies that own or operate NCII, as non-compliance with these obligations can result in significant fines and imprisonment. The Act outlines five broad obligations for NCII Entities, which are discussed below.
- 1. Duty to Provide Information Relating to NCII: NCII Entities have a duty to provide information concerning their NCII, which is further divided into three categories:
  • Request for Information: The NCII Lead may request information regarding the NCII owned or operated by the NCII Entity, and the NCII Entity must comply with this request.
  • Provision of Additional NCII Information: If an NCII Entity procures or gains control over additional NCII, it must automatically provide relevant information to the NCII Lead.
  • Notification of Material Changes: Any material change to the design, configuration, security, or operation of the NCII must also be automatically reported to the NCII Lead.
- Failure to comply with these duties could result in a fine of up to one hundred thousand ringgit or imprisonment for a term not exceeding two years, or both.
- 2. Duty to Implement the Code of Practice: NCII Entities must implement the measures, standards, and processes specified in the Code of Practice. However, they may opt for alternative measures if they can demonstrate that these provide an equal or higher level of protection to the NCII.
- Non-compliance with this obligation can result in a fine of up to five hundred thousand ringgit or imprisonment for a term not exceeding ten years, or both.
- 3. Duty to Conduct Cybersecurity Risk Assessment and Audit: NCII Entities are required to conduct a cybersecurity risk assessment in accordance with the Code of Practice at least once a year and an audit at least once every two years. The results of these assessments and audits must be submitted to the Chief Executive.
- Failure to conduct these assessments or submit the reports can lead to a fine of up to two hundred thousand ringgit or imprisonment for a term not exceeding three years, or both.
- 4. Duty to Notify Cyber Security Incidents: In the event of a cybersecurity incident, the NCII Entity must provide an initial notification within six hours, detailing information such as the description of the cybersecurity incident, the severity of the cybersecurity incident, and the method of discovery. A full report must be submitted within 14 days, including details such as the number of hosts affected, information on the cybersecurity threat actor, and the incident’s impact.
- Non-compliance is severe, with penalties of up to five hundred thousand ringgit or imprisonment for a term not exceeding ten years, or both.
- 5. Cybersecurity Incident Response Directive: Upon receiving a notification of a cybersecurity incident from an NCII Entity, the Chief Executive will investigate and may issue a directive on necessary measures to respond to or recover from the incident. The term “directive” underscores the importance of compliance.
- Failure to adhere to these directives may result in a fine of up to two hundred thousand ringgit or imprisonment for a term not exceeding three years, or both.
Licensing Requirements for Cybersecurity Service Providers
The Cyber Security Act 2024 introduces stringent licensing requirements for cybersecurity service providers. Under the Act, it is explicitly stated that no person shall provide any cybersecurity service, advertise, or in any way hold themselves out as a provider of such services unless they hold a valid license to do so.
The Act categorizes cybersecurity services into two (2) main types:
- 1. Managed Security Operation Centre (SOC) Monitoring Services: These are services that monitor the level of cyber security for the purpose of identifying or detecting cybersecurity threats to a computer or computer system, or determining the measures necessary to respond to or recover from any cybersecurity incident.
- 2. Penetration Testing Services: These services involve assessing, testing, or evaluating the level of cybersecurity of a computer or computer system by searching for vulnerabilities and compromising the cyber security defenses of the computer or computer system.
- Non-compliance with the licensing requirement is a serious offense under the Act, punishable by a fine not exceeding five hundred thousand ringgit, imprisonment for a term not exceeding ten years, or both.
Conclusion
The implementation of the Cyber Security Act 2024, along with the four accompanying regulations, marks a transformative moment in Malaysia’s cybersecurity framework. General counsels must stay informed and vigilant about these changes, ensuring that their organizations not only comply with the new requirements but also proactively protect their critical infrastructure from emerging threats in an increasingly digital world.
If your organisation has been designated as an NCII Lead or NCII Entity, and you would like us to assist you with compliance with your obligations under the Cyber Security Act 2024, please do not hesitate to reach out to the partners at our Technology Practice Group, whose contact details can be found below. The team is well-versed in technology and cyber security, and will certainly be able to assist in your endeavour.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my